Lucent Technologies 1200 Te Chn I Cal, Specificat, Ions, Services Supported, Content Security

Services Supported

•Bootp, http, irc, netstat, pop3, SNMP, tftp, pptp, dns, https, kerberos, nntp, rip, ssh, who, RADIUS, eigrp, ident, LDAP, ntp, rip2, syslog, shell, X11, exec, gmp, login, OSPF, rlogin, telnet, talk, H.323, SIP, ftp, imap, mbone, ping, rsh, traceroute, lotus notes, VoIP/SIP, Gopher, IPSec, netbios, pointca st, mtp, sql*net

•Any IP protocol (user definable)

•Any IP protocol + layer 4 ports (user definable)

•Support for non-IP protocols as defined by SAP/Ethertype

Layer-7 Application Support

•Application Filter architecture supports layer-7 protocol inspection (deep packet inspection) for command and protocol validation, protocol a nomaly detection, dynamic channel pinholes and application layer address translation. Application filters include http, ftp, RPC, tftp, H.323/H.323 RAS, SMTP, Oracle SQL*Net, NetBIOS, ESP, DHCP Relay, DNS, GTP, and SIP

Firewall Attack Detection

and Protection

•Generalized Day 0 anomaly-based flood protection with patent-pending Intellig ent Cache Management Protections

•SYN flood protection to specifically protect inbound servers, e.g. Web servers, from inbound TCP SYN floods

•Strict TCP validation to ensure TCP session state enforcement, validation of sequence and ac knowledgement numbers,

•Rejection of bad TCP flag combinations

•Initial Sequence Number (ISN) rewriting for weak TCP stack implementa tions

•Fragment flood protection with robust fragment reassembly, ensures no partial or overlapping fragments are transmitted

•Generalized IP packet validation including detection of malformed packets

•DoS mitigations for over 190 DoS attacks, including ping of death, land attack, tear drop attack, etc.

•Drops bad IP options as well as source route options

•Connection rate limits to minimize effects of new attacks.

QoS/Bandwidth Management

•Classified by physical port, virtual firewall, firewall rule, session bandwidth guarantees – Into and out of virtual firewall, allocated in bits/second

•Bandwidth limits - Into and out of virtual firewall, allocated in bits/second, packets/ session, sessions/second

•ToS/DiffServ marking and matching

•Integrated with application layer filters

Content Security

•HTTP Filter Keyword support integrated with HTTP Application Filter

•Basic content filtering with configurable whitelist/blacklist and content keyword matching.

•URL redirection for blacklist sites

•Rules-based routing feature for HTTP, SMTP and FTP features (Security Management Server v9.1 or later)

¬Interoperates with all 3rd party Anti-virus, Anti-Spam, and Content Filtering systems

¬Redirects only protocol-specific packets to 3rd party systems performing Anti-virus, Anti-spam, and content filtering services.

•Application-layer protocol command recognition and filtering

•Application-layer command line length enforcement

•Unknown protocol command handling

•Extensive session-oriented logging for application-layer commands and replies

•Hostile mobile code blocking (Java®, ActiveX™)

Firewall User Authentication

•Browser-based authentication allows authentication of any user protocol

•Built-in internal database – user limit 10,000

•Local passwords, RADIUS, SecurID

•User assignable RADIUS attributes

•Certifica te authentication

VPN

•Maximum number of dedicated VPN tunnels – 7,500

•Manual Key, IKEv1, IKEv2, DoD PKI, X.509

•3DES (168-bit), DES (56-bit)

•AES (128, 192, 256-bit)

•SHA-1 and MD5 authentication/integrity

•Replay attack protection

•Remote access VPN

•Site-to-site VPN

•IPSec NAT Traversal/UDP encapsulated IPSec

•IKEv2 IPSec NAT Traversal and dead peer detection

•LZS compression

•Spliced and nested tunneling

•Fully meshed or hub and spoke site-to-site VPN

VPN Authentication

•Local passwords, RADIUS, SecurID, X.509 digital certificates

•PKI Certificate requests (PKCS 12)

•Automatic LDAP certificate retrieval

•DoD PKI

High Availability

•VPN Firewall Brick security appliance to VPN Firewall Brick security appliance active/passive failover with full synchronization

•400 millisecond device failure detection and activation

•Session protection for firewall, VoIP and VPN

•Link failure detection

•Alarm notification on failover

•Encryption and authentication of session synchronization traffic

•Self-healing synchronization links

•Pre-emption and IP tracking for improved health state checking

•Seamless system upgrade with no downtime for redundant deployments